Law Reform, 22. , 2026, 82-112
Master of Law, Faculty of Law, Universitas Diponegoro

Research Article

Legal Guarantees for the Protection of Patient Confidentiality: A Cross-Jurisdictional Study

Mourad Benseghir*, Maamar Bentria, Adnan Ibrahim Sarhan, Salih Ahmed Luhaibi, Alaa Yakoob Yousif
College of Law, University of Sharjah, United Arab Emirates
*mbenseghir@sharjah.

ABSTRACT

This study examines the legal guarantees governing the confidentiality of patient information in Indonesia and the United Arab Emirates (UAE), two jurisdictions undergoing rapid digital transformation in their healthcare sectors. As the adoption of electronic medical records, telemedicine, and health information systems expands, concerns surrounding the protection, governance, and misuse of patient information have intensified. Through a normative and comparative legal method, this research analyzes the primary legislative instruments, regulatory mechanisms, and institutional arrangements that safeguard patient confidentiality in both countries. The UAE has established a more unified and structured legal framework, particularly through Federal Law No. 2 of 2019 on the Use of Information and Communication Technology (ICT) in Health Fields and the Personal Data Protection Law No. 45 of 2021, which impose stringent obligations for secure processing, access limitation, and data Indonesia, on the other hand, has introduced key regulations such as the Health Law No. 17 of 2023, Minister of Health Regulation No. 24 of 2022 on Medical Records, and the Personal Data Protection Law No. 27 of 2022; however, challenges persist in enforcement consistency, system interoperability, and institutional capacity. By comparing legal standards, confidentiality obligations, penalties for violations, and enforcement practices, this study highlights the strengths and weaknesses of both frameworks.
The findings underscore the need for Indonesia to enhance regulatory coherence, improve oversight mechanisms, and adopt best-practice elements from the UAE to reinforce patient information protection.

Keywords: Patient Confidentiality; Patient Information Protection; Comparative Health Legislation; Indonesia; United Arab Emirates.

INTRODUCTION

Recent innovations driven by information and communication technology (ICT) have profoundly transformed the ways in which individuals interact, collaborate, and share information, including in the health care sector (Abbott & Coenen, 2. In line with global trends, health information technology services have become increasingly essential, particularly in the era of the Fourth Industrial Revolution (Industry 4. , which presents both significant opportunities and complex challenges for health sector (Suyudi et al. , 2. Despite these advancements, health care technology innovation continues to face numerous obstacles, including Nonetheless, the integration of technological tools treatment, care delivery, and rehabilitation, making health services more efficient, effective, and patient-centered (Utomo, Gultom, & Afriana, information relating to an individual's medical history, current health condition, laboratory test All recent technological advancements Patient health information, is particularly vulnerable to Confidentiality. Law professor Daniel J. Solove misuse (Sarastri, Saputro, & Hartini, 2. defines privacy as an individual's right to control Advances in technology have enabled medical the timing, manner, and context in which their records to be stored both physically and digitally, personal information is shared (Labadie & Legner. In today's globalized and highly digitalized However, this ease of access also environment.
Patient Confidentiality is essential carries significant risks, including data breaches for three key reasons: safeguarding security, and the unauthorized use of sensitive health protecting individual rights, and fostering trust. Individuals results, prescription records, and other identifying Two of the four categories of health-related data identified by Deven McGraw and Kenneth D. Mandl are addressed in this article (McGraw & information (Alpiah et al. , 2. Mandl, 2. Data protection is a legal requirement in Health data generated by the healthcare Indonesia as stated in Article 28, paragraph . of system constitutes one of the two categories the 1945 Constitution of the Republic of discussed in this article. Whenever a patient Indonesia. The Constitution guarantees that receives medical treatment, clinical personnel every individual has the right to be protected from or medical equipment record information harm, including threats to their person, family, related to that encounter. This includes honour, dignity, and property (Ardiansyah & electronic medical records, medication lists. Ardiana, 2. Law Number 27 of 2022 on laboratory test results, radiographs, pathology Personal Data Protection provides the primary images, and insurance claim data. Clinical legal framework governing the collection, use, data documents both the patient's medical storage, and safeguarding of personal data. history and current condition and is essential There were 124 reported data breach Ministry Recording clinical information throughout a Communication and Information between 2019 patient's life and enabling its exchange among Of these, 111 cases involved the healthcare providers are crucial for improving leakage of personal data (Ardiansyah & Ardiana, the quality and continuity of care. Because of Personal health data, which includes its sensitive nature, the confidentiality of
clinical data is paramount. For this reason, information collected through applications or most health-related legislation places strong software used by individuals to manage their emphasis on protecting the privacy and health independently. These tools, devices, security of clinical information (Archer et al. and platforms provide consumers with insights into their daily health status and play an Health and fitness data generated for public This category of supplementary health management, particularly for individuals with data complements clinical data. It refers to chronic conditions (Alpay et al. , 2.

Table 1. Summary of Clinical Data and Consumer Health Data

| Data Aspects | Clinical Health Data (medical networks, healthcare experts, surgical tools) | Consumer Health Data (tangible electronic gadgets and wellness applications) |
|---|---|---|
| Recorded By | Medical treatment networks, healthcare experts, and surgical | Electronic gadgets (e.g., watches, bracelets), wellness applications |
| Data Details | Patients' names, ages, addresses, phone numbers, medical records, family medical records, symptoms, diagnoses, treatments, medications, and more | Personal information (e.g., name, ID, phone, address, job title, age, weight, height, pulse, respiration rate, blood pressure, glucose levels, activity history, dietary preferences, online consultation) |
| Data Characteristics | Passive data stored in the healthcare system, discrete, professionally managed, clinically oriented, with stronger privacy | Collected from diverse sources, ongoing standardization, high volume, more privacy concerns, and managed by multiple private service providers |

Source: (Institute of Medicine (US) Roundtable on Value & Science-Driven Health Care, 2. (Ivan, 2.

As the healthcare industry continues to accessibility, and quality of healthcare services.
collect, store, and transmit increasing volumes of However, this rapid digital transformation has data, concerns about patient privacy have also exposed patient information to greater risks become more prominent (Meinert et al. , 2. of unauthorized access, improper use, and data Sensitive health information is particularly Given the highly sensitive nature of health vulnerable to misuse and breaches, making its data, which often includes medical diagnoses, security a critical priority. The digitization of personal identifiers, and behavioral information, health records ranging from electronic medical ensuring its protection is not only a technical records (EMRs) to data generated through necessity but also a legal and ethical obligation wearable devices and mobile health applications (Lestari et al. , 2. has undoubtedly enhanced the efficiency. Numerous frameworks have been established worldwide to For example, the Medical Practice Law govern and protect medical data. Indonesia and Number 29 of 2004 (Utomo, Gultom, & Afriana, the United Arab Emirates (UAE) are two 2. , requires that all doctors, dentists, and countries that have made significant progress in heads of health service facilities create accurate developing regulations on the confidentiality and medical records and maintain their confidentiality. security of health information. In the UAE, the In today's digital environment, individuals are protection of patient privacy, the processing of increasingly integrated into digital systems, often health data, and the use of such data for at the cost of reduced control over their personal evidence-based information and diminished data sovereignty regulated by Federal Law No. 2 of 2019 Use Information (Eckhoff & Wagner, 2. Numerous Communication Technology in the Health Sector.
legislation to ensure the confidentiality of patient Health Patient Confidentiality in the UAE is information, recognizing its importance on a governed both by federal legislation and by the global scale. Although national approaches to specific rules of special economic zones such as the Abu Dhabi Global Market and the Dubai international and regional frameworks provide International Financial Centre. These frameworks shared foundations for safeguarding privacy. draw inspiration from international standards, the end of 2019, 142 countries had adopted including the EU's General Data Protection Patient Confidentiality laws, a significant increase Regulation. The Dubai International Financial from 62 countries in 2010 (Greenleaf & Cottier. Centre Data Protection Law No. 5 of 2020 and Indonesia and the UAE are among the the Abu Dhabi Global Market Data Protection nations that acknowledge the necessity of Regulations 2021 impose strict requirements for protecting citizens' health information from the protection of personal data, including health misuse and preserving their fundamental rights. information (Alhajaj & Moonesar, 2. Comparing the legislative frameworks and health Law 17 of 2023 on Health was enacted in Patient Confidentiality regimes of these two Indonesia with a similar objective. This legislation countries therefore offers valuable insight into regulates several aspects related to patient how each system operates, and allows us to Patient Confidentiality within the Indonesian identify the strengths and weaknesses of their health system. Articles 114 and 116 emphasize respective regulatory models. the obligation to protect the confidentiality of Individuals' rights over their personal data patients' medical records. Indonesia also has constitute a central element of modern Patient additional sector-specific laws addressing this Confidentiality regulations (Wilona, Latifah, &
Purwadi, 2. In the United Arab Emirates. Both nations must urgently strengthen the regulations such as Federal Decree-Law No. protection of patient health records against of 2021 on Personal Data Protection, along with the frameworks applied within the Dubai Comprehensive regulations clearly defining data International Financial Centre and the Abu Dhabi Global Market, grant individuals the right to accountability mechanisms are essential. access, rectify, and erase their data. These rights information and communication technologies ensure that individuals can exercise control over continue to evolve rapidly, the issue of medical their personal information and pursue remedies in Patient Confidentiality has become a central topic cases of misuse (Nair & Ibrahim, 2. in global legal and policy discussions (Ohoiwutun Indonesia provides similar protections, including et al. , 2. the rights to access, correct, delete, and restrict The governments of many countries have the processing of personal data. These rights are adopted regulations aimed at protecting the intended to enhance individual autonomy and privacy of citizens' health information. promote greater transparency regarding data Indonesia, several legal instruments regulate the However, the practical effectiveness of these protection of health data, as noted by Pratama protections remains heavily dependent on the RA . These include Law No. 11 of 2008 on consistency and rigor of law enforcement Electronic Information and Transactions and practices (Suari & Sarjana, 2. Minister of Health Regulation No. 24 of 2020 Compliance with data privacy legislation concerning electronic medical records. Despite authorities and the imposition of sanctions. In the implementation challenges remain particularly the United Arab Emirates, violations of Patient limited awareness and understanding of Patient Confidentiality Confidentiality obligations among the public and administrative penalties.
In Indonesia, individuals healthcare personnel (Hendra et al. , 2. who infringe upon Patient Confidentiality rights Both countries must take urgent steps to may face both civil and criminal sanctions protect patient health records from unauthorized (Anggraeni. Ensuring Clear ultimately falls under the responsibility of the designated supervisory authorities in each However, the central challenge As information and communication remains achieving consistent and effective technologies rapidly evolve, health Patient enforcement across the entire country. Confidentiality has become a central issue in international policy and legal discussions. Globally, and greater alignment with international dataenacted Persistent various rules to safeguard the confidentiality of identified across the region include limited citizens' health information. In Indonesia, several legal instruments regulate health data protection, compliance among stakeholders, cybersecurity including Law No. 11 of 2008 on Electronic vulnerabilities, and obstacles related to cross- Information and Transactions and Minister of border data exchange (Iswandari & Hoque. Health Regulation No. 24 of 2020 on Electronic Medical Records. Despite The UAE has also had its fair share of successes and failures in recent years when it comes to enforcing regulations protecting the Confidentiality privacy of patients' medical records. Health obligations among both the public and healthcare Patient Confidentiality is an important topic, an Sarabdeen. Patient Moonesar, . Heriyanto . examined the legal regulatory frameworks in the United Arab frameworks and safeguards governing the Emirates (UAE) to those of the EU and USA. privacy of patients' medical records in three They found that patient confidentiality remains far Southeast Asian countries: Laos. Singapore, and from meeting international standards. To improve Indonesia.
His comparative study evaluates key Dubai's e-health regulatory framework, they components such as patients' rights, data proposed several areas for enhancement, security standards, consent mechanisms, cross- particularly regarding patient confidentiality and border data transfer regulations, and the roles of the mechanisms required to ensure its effective national data protection authorities. The findings protection (Sarabdeen & Moonesar, 2. reveal notable differences in the strength and Although many countries have made effectiveness of the three systems. Singapore's notable progress in protecting medical records. Personal Data Protection Act stands out for its the literature indicates that significant challenges comprehensive approach, robust enforcement remain before robust and harmonized standards data-breach for Patient Confidentiality and security can be fully reporting obligations. In contrast, although Laos This underscores the importance of and Indonesia have taken important steps toward raising public awareness about health information protecting patient information, both countries still privacy rights and empowering individuals to require significant improvements. These include exercise greater control over their health data. clearer procedures for reporting data breaches Educational initiatives play a critical role in improving public understanding of data security, 2018 (Sarabdeen & Moonesar, 2. and in 2025 consent, and individual rights related to the (Sarabdeen & Ishak, 2. , provide comparative handling of personal health information. insights into data protection regulations and There is limited regional and international practices in the public and health sectors across Southeast Asia. regulations governing medical records in the UAE To shed new light on the topic, this study and Indonesia.
This gap highlights the need for a compares and contrasts the legal frameworks and more systematic analysis of how these two medical Patient Confidentiality regulations of countries regulate, implement, and enforce health Indonesia and the United Arab Emirates (UAE). data protection. By examining and contrasting Its novelty lies in examining medical Patient their respective legal frameworks, this research Confidentiality through a dual-system perspective, seeks to deepen our understanding of the assessing not only the statutory provisions but effectiveness of existing regulations and their also the enforcement practices adopted in each practical application in different institutional Thus, the study goes beyond merely To support this objective, a concise outlining existing regulations; it evaluates how literature review was conducted to frame the both jurisdictions penalize and respond to discussion and situate both countries within the violations of patient data confidentiality. While broader landscape of global health Patient previous research has largely focused on single- Confidentiality initiatives. country assessments or broad regional overviews Many studies have explored different without in-depth bilateral comparison, this study dimensions of privacy and personal data addresses that gap by offering a more nuanced protection, with several focusing on the legal and practical understanding of the strengths and frameworks and policy implementation in specific weaknesses of each system. For example. Simamora . This study seeks to answer two main examines how Indonesia safeguards the privacy research questions based on the discussion rights of COVID-19 patients, while research by Lintang and Triana . reviews personal data . How do the legal frameworks and medical Patient Confidentiality regulations of Indonesia Indonesia's administration system. In the UAE context. Alhajaj and the United Arab Emirates (UAE) compare? and Moonesar . analyze public perceptions .
How do the penalties and enforcement and the practical implementation of technological mechanisms for breaches of medical Patient tools designed to protect personal data in Dubai. Confidentiality differ between Indonesia and the Furthermore, studies by Sarabdeen published in UAE?

RESEARCH METHODS

and ensure the confidentiality of medical records. The normative legal research method is The objective is to explore more deeply the extent used in this study to evaluate and understand the of the state's obligation to safeguard the privacy rules, principles, and standards that operate rights of its citizens. Accordingly, this study within social, ethical, and legal frameworks. This analyzes the legal provisions governing medical method aims to determine what the law should prescribe by analyzing legal norms, doctrines, consequences imposed on individuals or entities and principles contained in statutory regulations, that violate these protections. legal dictionaries, and relevant literature. It is appropriate for this research because it RESULTS AND DISCUSSION focuses on assessing the adequacy and UAE Legal Framework consistency of legal provisions governing the The Federal Law No. 2 of 2019, also protection of medical Patient Confidentiality. known as the Federal Law Concerning the Use of addition, the study employs a comparative Information and Communication Technology in method to examine how these legal protections the Health Sector in the United Arab Emirates, are enforced in both the United Arab Emirates represents a major advancement in regulating and Indonesia. and protecting health data in the country. Prior to The legal materials used consist of primary its enactment, the legal framework governing Patient Confidentiality and health information was regulations, and judicial decisions, as well as The law now requires healthcare commentaries and scholarly articles.
These providers, insurance companies, and other sources are collected through document analysis related entities to comply with strict rules and systematically compared to identify key governing the collection, processing, and transfer differences and similarities in each country's of health data. It stands as the first federal privacy law in the UAE specifically dedicated to the (Amiruddin & Asikin, 2. protection of health information. This study compares the first issue The United Arab Emirates (UAE) approved formulation concerning the enforcement of laws Federal Decree-Law No. 45 of 2021 on Personal on medical Patient Confidentiality in the United Data Protection on November 5, 2021. This Arab Emirates and Indonesia. It examines how both countries establish and implement the legal framework governing the collection, processing, frameworks designed to protect patient privacy and use of personal data, with the primary objective of safeguarding individuals' Patient information may only be obtained with the data Confidentiality. It serves as the UAE's federal- subject's level data protection law and operates alongside permitted by law, and it must be stored securely other sector-specific regulations, ensuring a more to prevent unauthorized access or disclosure. The coordinated approach to protecting personal regulation further specifies that only authorized information across different fields (UAE - Data individuals or entities may access personal data Protection Overview, 2. and solely for legitimate, predefined purposes. The Federal Decree-Law requires all highlight the key similarities and differences organizations that handle personal data to between the regulatory frameworks of the UAE implement a comprehensive data protection and Indonesia, the following table provides a strategy (Abouahmed, Kandeel, & Zakaria, 2. concise comparative overview.
This summary This strategy must clearly outline the purposes of also serves as a transition to the subsequent data collection, the methods of processing, and section, which examines how health data is the restrictions on data use, ensuring that all processed in both jurisdictions. personal data is handled lawfully. Personal

Table 2. Comparative Summary of Legal Frameworks Governing Medical Patient Confidentiality in the UAE and Indonesia

| Aspects of Regulation | United Arab Emirates (UAE) | Indonesia |
|---|---|---|
| Legal Basis | Federal Law No. 2 of 2019; Federal Decree-Law No. 45/2021; Health Data Law . | Law No. 27 of 2022 on Personal Data Protection; Law No. 17 of 2023 on Health |
| Scope of Protection | Covers personal health data in digital systems, including AI and electronic | Protects personal data, including health information, collected by healthcare institutions and platforms |
| Responsible Authority | UAE Data Office; Ministry of Health and Prevention | Ministry of Communication and Informatics (Kominfo); Ministry of Health |
| Sanctions for Violations | Administrative fines, suspension of licenses, criminal charges | Administrative, civil, and criminal sanctions; fines and imprisonment |
| Implementation Challenges | Need for harmonization across emirates and coordination between federal and local authorities | Weak institutional coordination, limited resources, and public awareness |
| Technological Readiness | Advanced digital health infrastructure; integrated national health data strategy | Fragmented digital systems; interoperability among health data systems |

Source: Author's own research .

If individuals suspect that their data has the offense. Article 7. of the UAE Personal Data been mishandled or improperly used, they may Protection Law requires personal data to be file a complaint with the relevant authorities. prevent future violations, the law imposes unauthorized access. It also obliges data
It also obliges data penalties that correspond to the seriousness of controllers to ensure that personal data is stored Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro securely and accessed only by authorized specific legal reasons. Article 4 paragraphs . Article 8. strengthens this obligation by and . of Federal Decree-Law No. 45 of 2021 emphasizing that only individuals who are legally outline this regulation. Accurate and thorough permitted may process personal data. As a result, documentation of data collection procedures, access rights must be clearly defined, including including information on the data's intended use, information on how personal data is used and the is required when collecting personally identifiable mechanisms through which it is accessed. information (GDPR. EU, 2. Additionally, the Dubai Health Authority In light of the complexity of Patient oversees and enforces health standards in both Confidentiality and security in the digital age, public and private healthcare institutions in Dubai. these standards constitute a substantial advance. This strategy is a key component of a well-run Federal Law No. 2 of 2019 and Federal Decree- healthcare system, and it reflects the Dubai Law No. 45 of 2021 demonstrate a firm dedication Health to safeguarding personal information and public preservation and improvement. To ensure health in the United Arab Emirates, while compliance with the processes and regulations international pressures like the General Data outlined in Federal Law No. 2 of 2019 and Protection Regulation offer further incentive to Federal Law No. 45 of 2021, the Dubai Health enhance data protection standards generally. Authority has designated a Data Protection UAE Medical Privacy Data Processing Authority's Officer to oversee matters about the security of The proliferation of data from mobile patient records. 
The Data Protection Officer's networks, computer systems, health apps, and primary responsibility at the Dubai Health Authority is to handle complaints of data leaks expansion of patient data and information for and implement measures to rectify the situation. health care. These systems are becoming more The Personal Data Protection Law of the Kumar N & Manjula stressed that United Arab Emirates (UAE) incorporates several hospitals and other medical centers produce vast provisions and guidelines from the General Data Protection Regulation (GDPR). The General Data treatments, illnesses, studies, and related topics Protection Regulation only permits the collection (Kumar N & Manjula, 2. Electronic medical of personal data with the consent of the data records (EMR) are a digital platform that may be subject or as mandated by law. A regulation in the used to manage health data. Patients' vital United Arab Emirates stipulates, among other records are abundant on this platform. From things, that obtaining personal information patient demographics to test findings, imaging, requires the consent of the data subject or and radiology, it's all recorded in the EMR. The Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro symptoms and development of illnesses may be the efficiency and resilience of different data (Gao better understood with the use of data stored in et al. , 2. , and . a system that collects patient the EMR (Effoe et al. , 2. Results from the information from multiple databases. The process Lifestyle Intervention for Treatment of Diabetes of linking devices and gathering data begins here. study demonstrate the effective use of electronic This is critical when optimizing multiple databases health data in clinical trial recruitment. EMR can (Zhang & Hansen, 2. Social and legal technicalities may present progression, comorbidities, and mortality (Paxton, obstacles to the collection of health big data. Niculescu-Mizil, & Saria, 2. 
Electronic health These social and legal issues may arise due to records, household sensors, and wearable technology are just a few places you may find this identification, and health governance (Mittelstadt data (Laney, 2. & Floridi, 2. As health information becomes Big data in health refers to data sets that are too big for traditional computer algorithms to addressing these concerns through clear legal analyze (Wang et al. , 2. Sorted according to frameworks and ethical standards is essential to its structure, big data may be either fully or ensure trust and compliance within health data partially organized. First, there is a specific format for storing, retrieving, and processing structured Article 12 of the Federal Law mandates Unlike the previously mentioned layout of that the UAE's health data adhere to ministerial structured data, unstructured data lacks a clear regulations, requiring coordination with the structure, resulting in a distinct and dedicated Minister of Health. This is consistent with Article type of data that is easy to obtain and understand. 13 of the Federal Law, which establishes According to Wu and Lin, there are a lot of obligations for the storage of healthcare data and processing issues with this data type when it information both within and outside the UAE. comes to retrieving meaningful information (Wu & Health data or information may not be stored. Lin, 2. Some examples of processing processed, created, or transmitted outside the resource limits include problems with data. UAE about health services provided in the UAE, except through a resolution issued in support of technology (Adnan & Akbar, 2. The existing health care data or information processors in approaches to data extraction from diverse, coordination with the Ministry, as per Article 13 unstructured, large data sets have significant (Coorevits et al. , 2. 
This article has sparked We use a holistic approach, using significant debate and controversy due to the fact suitable simulated healthcare datasets, to assess that numerous organizations process health data and information outside of the UAE. Nevertheless. Backup Requirements: This provision also the UAE's healthcare data and information underscores the significance of having a backup management industry sectors are relieved by the system in place to prepare for data loss or system exceptions and exemptions to Article 13 provided . Compliance and Supervision: This by Article 12 of Ministerial Decree No. 51 of 2021. regulation mandates the establishment of servers The following exceptions are enumerated in and backups within the country to facilitate Article 2 of the Decree: . Data utilized in regulatory oversight and compliance monitoring by authorities. Data international organizations that collaborate with Indonesian Legal Framework the UAE government. Data concerning One of the primary concepts of the 1945 samples sent to laboratories outside the UAE. Constitution of the Unitary State of the Republic of Data required by insurance companies and claims Indonesia is that the state is responsible for the administration agencies. Data collected by protection of the entire Indonesian nation and all basic medical devices and equipment. Data Indonesian blood by ensuring social justice for all utilized in the provision of online health services. Indonesians, as determined by unity. The state's and . Data concerned with patient diagnosis, protection of citizens' property rights illustrates treatment, or prevention. this concept. According to Article 28H, paragraph In addition, Resolution No.
40 of 2019 4, of the 1945 Constitution of the Unitary State of pertains to the implementation of medical liability the Republic of Indonesia, every individual is law in the UAE and contains provisions entitled to private property rights, which may not concerning the provision of "Remote Health Services. " Article 2. of the resolution mandates (Taufiqurrohman et al. , 2. the existence of a server within the country to We are all aware that property rights are display and store information and backup regulated by Civil Law (Burgerlijk Wetboe. (Tithecott & Jhala, 2. These include the Despite Indonesia's independence, the 1945 following: . Server Requirements: These Constitution of the Unitary State of the Republic of provisions mandate that remote health service Indonesia retains the validity of the law until a providers maintain servers within the United Arab new law replaces it. Of course. Article 570 of the Emirates' territorial jurisdiction. Information Burgerlijk Wetboek regulates the authority and Storage and Security: These requirements are restrictions for property rights holders. These designed to guarantee the secure storage of provisions also apply to the proprietorship of sensitive health information. Safe and in medical records. We understand that neglecting compliance with current laws and regulations, . the obligation to protect information in patient Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro medical records violates both the patient's right to Furthermore, the public does not fully understand privacy and their property rights. Furthermore, their rights regarding the privacy of health data. accessing and using the contents of medical Health records without the patient's consent should not information, which constitutes a violation of violate their property rights (Daeng et al. , 2. medical Patient Confidentiality. 
Nevertheless, the As a result, the confidentiality of medical data in government is making ongoing efforts to address Indonesia is critical for safeguarding patient this challenge by enhancing infrastructure and health information. educating the public (Bunga, 2. Law Number 36 of 2009 concerning health The government issued Minister of Health regulates the privacy of patient health data. Regulation Number 269/MENKES/PER/i/2008 to underscoring the importance of medical record regulate medical records. A health care provider According to Article 46, health maintains a medical record, which is a service facilities are required to maintain the compilation of medical information about a confidentiality of medical records. Authorized This information encompasses the parties should have access to personal health patient's medical history, diagnosis, examination information, and patient consent is required for its results, medication prescriptions, and other use for any other purpose. Article 55 states that pertinent records regarding the patient's care. every individual has the right to access Coordinating care among multiple health care confidential health information that a health providers and documenting and monitoring the service provider stores. This underscores the provided care is crucial. significance of controlled and secure access to Article 10 of the Indonesian Minister of health information. Additionally. Article 52 governs Health Regulation No. 269/Menkes/Per/i/2008 the patient's entitlement to receive health on Medical Records stipulates strict confidentiality information that is transparent, truthful, and regarding patients' identity, diagnosis, medical The objective of this legal history, and treatment. This information must be framework is to enhance the quality of health protected by healthcare professionals and facility services and safeguard patients' privacy rights. 
However, disclosure may be permitted The implementation of this law in society under specific conditions, such as: . for the continues to encounter a variety of obstacles. benefit of the patientAos health. at the request of Many health facilities, particularly those located in law enforcement with a court order. based on remote locations, struggle to maintain the the patientAos request or consent. at the request confidentiality of medical records due to of other institutions under statutory authority. inadequate technology and human resources. for research or educational purposes, provided Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro the patient's identity is not revealed. In addition, explicit written consent from the patient or their all requests for medical records must be legal heirs must be obtained. However, patient submitted in writing to the head of the health consent is not required when medical records are used for state interests in the context of research Article 10 paragraphs . , . , and . and education, provided that confidentiality is still stipulate that access to or disclosure of medical records to other parties requires the patient's Article 13 of Minister of Health Regulation consent, except for specific purposes like law Number 269/MENKES/PER/i/2008 governs the enforcement or court requests. This aims to management of medical records, including the ensure that patient medical information remains production, storage, and use of patient health confidential and protected from unauthorized In line with recognized medical Health workers are also required to ethical principles, its execution highlights the need provide adequate explanations to patients to keep data secret. Compliance with such rules, regarding the purpose and benefits of collecting as Indriyati pointed out, helps lessen the medical data (Sanjoyo, 2. 
likelihood of privacy breaches and boosts As stated in Article 13, this Minister of patients' faith in the healthcare system. Within this Health Regulation requires standard operating framework, the execution of this article also urges procedures to protect the confidentiality of healthcare providers to guarantee that only medical records. There will be both administrative authorized individuals with valid medical needs and technological safeguards in place to stop the may access patient information (Indriyajati. Jawa, disclosure or abuse of sensitive data. The goal of & Utomo, 2. implementing this rule is to ensure that patients' The goal of Indonesia's Law Number 44 of medical data remains private, giving them peace 2009 on Hospitals is to ensure that all patients' of mind when seeking healthcare. medical records remain private by regulating According to Article 13 of the Minister of several areas of hospital administration, including Health Regulation No. 269 of 2008 on Medical the protection of patient data. Article 32I Records, the use of medical records is limited to guarantees the right to privacy and secrecy for all specific purposes such as patient healthcare, law medical records and information about a patient's enforcement proceedings, professional discipline. Article 44. Paragraph 1, states that research and education, cost regulation, and "Hospitals can refuse to disclose any information health statistics. If the use of medical records to the public relating to medical secrets. " This involves identifying patient data, especially for law provision guarantees the legal protection of enforcement or personal request purposes. Article 44. Paragraph 1 of Law Number Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. 
Universitas Diponegoro 44 of 2009, which regulates hospitals, protects Health Service Facilities may refuse to hospitals legally from the public disclosure of disclose any information to the public relating sensitive medical information. Information about to the patient's health secrets, except based the patient, their diagnosis, and the care they on the provisions as provided in Article 4 received may be considered medical secrets, and paragraph . the hospital may choose not to divulge it. Doing Furthermore. Article 296 of Law Number so prevents unauthorized parties from gaining 17 of 2023 states that patient medical records access to or misusing, patients' medical records must be maintained and kept confidential by (Yustina, 2. specific obligations. Paragraph . explains these The government enacted Law 17 of 2023 in responsibilities, stating: AuEvery medical worker the health field to enhance the standard of health and health worker who provides individual health services, safeguard the public, and regulate the services is required to keep a medical record. powers and duties of health professionals. the event, as intended in paragraph . , it is Changes in health care technology and the carried out at a Health Service Facility other than lessons learned during the COVID-19 epidemic an independent practice place, the maintenance Indonesia's of medical records is the responsibility of the healthcare system, which in turn led to the Health Service Facility. Medical records as passage of this legislation. We will build this intended in paragraph . must be completed reform around six pillars: primary care, referral immediately after the patient has finished services, health security, financing, human receiving health services. 
Each medical record resources, and health technology, all aimed at entry must contain the name, time, and signature promoting a robust and healthy Indonesian of the Medical Personnel or Health Personnel We anticipate that this law will also providing the service or action. Medical records provide legal protections for health care providers. as intended in paragraph . must be kept and This health law has the potential to improve the kept confidential by Medical Personnel. Health health of the Indonesian people by ensuring that Personnel, and leaders of Health Service they have access to top-notch healthcare Facilities. Ay (Kesuma, 2. Article 301 paragraph . of Law No. 17 of Law Number 17 of 2023 contains patient 2023 addresses patient health confidentiality and Patient Confidentiality rights, as Article 177 states constitutes the final provision related to health Patient Confidentiality. It states: AuEvery Medical Every Health Service Facility must keep the Personnel and Health Personnel in carrying out patient's personal health secrets. Health Services is obliged to keep the patientAos Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro personal health secrets. Disclosure of the National Standardization Agency, along with patientAos personal health secrets as intended in documentation and evidence certification from paragraph . can be carried out for certain independent institutions like ISO or HIMSS. purposes as intended in Article 4 paragraph . Ay Additionally, these systems must be able to This provide technical support and maintenance confidentiality while recognizing that exceptions throughout the contract period. A business license are permissible under clearly defined legal from the Ministry of Communication and Information is also required (Akbar, 2. 
Indonesian Medical Privacy Data There are many important ways in which Processing hospitals and patients may benefit from hospital Hospital management information systems management information systems. In order to and related technology have improved efficiency in the storage, processing, and interchange of administrative procedures, and improve the medical data (Rahmouni. Essefi, & Ladeb, 2. efficiency of health services, hospitals may use In order to better manage their data and service operations, hospitals might benefit from using a Healthcare facilities can reduce patient wait times Hospital Management Information System. and streamline administrative tasks by integrating hospital's management information system (HIS) is a computer program that streamlines and payment processing. Protecting patient privacy unifies the flow of all business operations related and adhering to privacy standards are two of to health services. It does this via an hospital management information systems' most interconnected web of reporting, coordination, important functions. Medical facilities have a and administrative procedures that allow for the responsibility to safeguard their patients' personal efficient and correct retrieval of data (Muntari et information by implementing measures to prevent , 2. The Minister of Health Regulation No. 82 of these regulations A number of challenges have impeded the Every rollout of HMIS in Indonesian hospitals. Because healthcare facility is mandated to establish a they do not have thorough IT management, several hospitals still have trouble deploying according to this rule. Hospital Management HMIS. The internal development of a hospital Information Systems must meet the standards management information system requires a and requirements of the Health Ministry and substantial investment of time, energy, and in Indonesia. alteration (Situmorang, 2. 2013 establishes the guidelines for the application Law Reform, 22. 
, 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro Therefore, it is prudent to select a suspension, or other punishments (Rahayu, provider who offers a hospital management information system. The Indonesian Hospital There have been problems with patient Management Information System has reported multiple instances of data breaches. The Arifin aforementioned law regulates the secrecy of Achmad Regional General Hospital in Riau patient health data. One of the factors that might Province, for example, has seen a significant contribute to breaches involving medical data improvement in the efficiency and effectiveness of leakage is a lack of stringent oversight and control its operations across all departments after over medical data. Another cause of data leakage implementing a hospital management information infractions is a lack of understanding of the rules However, hospitals must exercise and regulations in place (Susanto, 2. extreme caution while handling patient data in Health data security breaches in the United order to prevent data breaches when using a Arab Emirates (UAE) are subject to penalties and law enforcement action according to a number of Although HMIS has the potential to increase pieces of legislation, the most recent of which is Federal Law No. 2 of 2019, which lays out the systems increase the danger of data breaches rules in detail. Articles 25 and 26 of this Law, (Rifly, 2. among others, stipulate that any breach of the Sanctions and Enforcement for Violations rules governing the gathering, processing, or Medical Patient Confidentiality transmission of health data may result in an Compared Between the United Arab administrative punishment of up to a specified Emirates (UAE) and Indonesia More significant infractions may trigger The UAE and Indonesia both prioritize further legal action, including criminal prosecution. 
personal data security by enforcing penalties and Article 27 may enforce administrative penalties for sanctions against breaches of patients' medical infractions of this legislation. Patient Confidentiality. When people break the A substantial monetary punishment is one laws or norms that society has set up, the system possible administrative consequence. the exact responds by imposing sanctions. Sanctions, in amount may vary according to the severity of the Rahayu's view, are a means of disciplining breach and its effect on the security of protected wrongdoers and discouraging repeat offenses. health information. This law empowers authorities Depending on the seriousness of the offense, the to investigate incidents, gather evidence, and take offender may be subject to fines, jail time, license appropriate action to prevent or remediate health data breaches. The penalties for violating this Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro legislation, as stated in Article 28, might include system information temporarily or permanently. the suspension, revocation, or restriction of Administrative penalties may be as high as fifty licenses or permits given to companies engaged million UAE dirhams . bout thirteen and a half in health data management, as well as the million dollar. or five percent of the offending temporary or permanent termination of such entity's total yearly turnover. It is believed that permissions or licenses . an Velthoven et al. these penalties will serve as a powerful The purpose of these regulations is to organizations to adhere to the requirements of protect individuals' privacy and lessen the Federal Decree-Law No. 45 of 2021 on the likelihood of misuse or unauthorized access to careful management and protection of personal sensitive information by ensuring that all parties data, particularly health records. 
engaged in the acquisition, processing, or storage Regarding Federal of health data in the UAE adhere to stringent Decree-Law No. 45 of 2021 gives the Data standards in the protection of personal data. Protection Committee the authority to investigate including health data. Yes, this. By passing suspected violations, collect evidence, and take Federal Law No. 2 of 2019, the United Arab action by applicable legal provisions. This Emirates reaffirms its will to tackle the modern committee has the authority to order the violating data security crisis head-on by implementing company or organization to correct the violation, robust measures to safeguard all health records. or, in the case of a serious violation, to refer the Additionally. Federal Decree-Law No. 45 of violation to court for further resolution by 2021 pertaining to Personal Data Protection applicable criminal or civil laws in the UAE regulates penalties and the implementation of (Alostad. Steinke, & Schafheutle, 2. laws pertaining to the protection of health data. Even in Indonesia, there have been Article 21 of Federal Decree-Law No. 45 of 2021, violations of medical Patient Confidentiality rules. which pertains to personal data protection. According to Cyber Security Researcher Teguh emphasizes administrative penalties for data Aprianto, the Data Inspection Team plans to file a protection law infractions. This article says that if lawsuit against the party responsible for the you break the rules in Federal Decree-Law No. unauthorized disclosure of 279 million patient of 2021 about Personal Data Protection, you can be fined, given written warnings, lose your Administration for Health. There are strong permission to process personal data, have data suspicions of data breaches involving sensitive information such as Social Security Administration permanently, or be blocked from accessing participant card numbers, office codes, family Indonesia's Social Security Law Reform, 22. , 2026, 82-112 Master of Law. 
Faculty of Law. Universitas Diponegoro details, health insurance dependents, and warrants accountability. It follows that every insurance payment statuses, according to Dedy individual has the right to seek redress for Permadani (DA, 2. In light of this breach, the damages caused by the publication of health state must take measures to secure the personal information, as stated in paragraph one of Article health information of its citizens and bring those responsible to justice Similarly. Article 48, paragraph 1, of the Law Number 36 of 2009 Concerning Health Constitution of 2004 (Regarding Medical Practic. mandates that medical professionals . octors, states that all dentists and doctors are required to nurses, and hospital. maintain the privacy of maintain the confidentiality of any information they patient information and refrain from disclosing it to learn while treating patients, including but not limited to any findings made during treatment and So, it's obvious that those who documented in the patient's medical record. breach patient privacy by making their information Private and protected patient medical records. public have broken the law. Article 38, paragraph 1, of Law Number 44 Legislation, specifically Number 36 of 2009 of 2009 concerning hospitals emphasizes the concerning health, expressly prohibits careless legal basis governing the confidentiality of patient individuals from disclosing patients' personal information in Indonesia and states that not only information, as stated in Article 57 paragraph . doctors and dentists but also hospitals are of the Constitution. As stated by health care required to maintain medical secrets. According to professionals, often known as health workers, this article, all healthcare facilities are required to every individual has the right to access keep patient records private. This category information about their health status. 
Everyone includes everything required for medical care, who commits themselves to health care, has including personal details, medical history, test formal education in the field, and, in the case of certain occupations, needs formal authorization to implementing Article 38, paragraph . , is to practice what they preach, is considered a health safeguard patients' right to privacy and prevent worker in this article. abuse or unauthorized access to sensitive The As previously mentioned, the disclosure of As a result of this regulation, patient personal data, specifically the patient's healthcare facilities must establish and adhere to identity and health status, to third parties who stringent protocols for patient data management, violate the regulations outlined in Article 57 including secure storage, appropriate access, and paragraph . of Law Number 36 of 2009 about use of data in line with clinical requirements. The health constitutes a violation of the law and overarching goal is to adequately safeguard Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro patients' private rights by relevant legal concepts a maximum of nine months or a fine of up to and medical ethics, while also preserving public Rp. 9,000. trust in health services. This law combines the provisions of the Law No. 36 of 2009 on Health, which deals Criminal Code and the Constitution for Medical with law enforcement matters, does not specify Practice to penalize individuals or entities that sanctions for violations of Article 57. However, violate patient privacy by disclosing their medical other laws govern punishments. for example. Law records or other personal information. This 29 of 2004 governs medical practice. Article 51, includes medical professionals, hospitals, and Letter C of the Medical Practice Law, addressing other service providers in the health industry. 
the safeguarding of personal information, asserts Moreover, we can classify the reaffirmations into the following: the following categories: The Constitution No. "A doctor or dentist in carrying out medical of 2016 pertains to Top Amendments, while practice must keep everything he knows about Constitution No. 11 of 2008 addresses Electronic a patient confidential, even after the patient Information and Transactions. As stated in the first paragraph of Article 26. If there is a violation of the above article, there will "Unless otherwise determined by statutory be legal consequences, as regulated in Article 79, regulations, the use of any information via letter c of Law Number 29 of 2004 concerning electronic media that concerns a person's data Medical Practice, the article states that: must be carried out with the consent of the AuSentenced with imprisonment for a maximum person concerned. of 1 . year or a fine of a maximum of Rp. Articles 27Ae37 also prohibit activities 50,000,000. ifty million rupia. , every without rights and the intentional misuse of doctor or dentist who: deliberately does not electronic information that could harm others, in fulfill the obligations as intended in article 51 addition to paragraph . of Article 26. According letter a, letter b, letter c, letter d, or letter e. to Article 46, paragraph . , the penalties for a This confidential data can also apply to parties or violation can be as high as 7 years in prison and a individuals because of their position as regulated fine of up to 700,000,000 Rp. On the other hand, by the Criminal Code. Article 322, paragraph . 
if it is proven that a third party has violated the of the Criminal Code states that: misuse of personal data, met the criminal "Anyone who deliberately discloses a secret elements of that offense, and caused loss as a which, according to his position or occupation, result, that person can be punished with up to 12 whether current or previous, is required to years in prison and/or a fine of up to 12,000,000 keep it, shall be punished by imprisonment for Rp. A person is threatened with a maximum fine Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro of Rp. 1,000,000,000 and/or imprisonment for a or ignorance. A person's obligation, as stated in maximum of 6 years in Article 45A paragraph . Article 1367 of the Civil Code, extends to losses if, intentionally and without authorization, they inflicted by others who are dependent on him or spread hoaxes or false news and mislead who are under his supervision. The three articles that make up the Civil Code make it clear that transactions as intended in Article 28 paragraph when an individual or their dependents suffer . financial harm as a result of another's illegal Furthermore, the Civil Code also regulates behavior, the Civil Law Act specifies how this unlawful acts that harm other people, namely in harm might manifest. Articles 1365, 1366, and 1367, including as Comparison of UAE and Indonesia Health Data Laws Article 1365. The health data protection legislation in the AuEvery unlawful act that causes harm to UAE and Indonesia places an emphasis on the another person requires the person whose need for collecting and recording personal data in fault it was to cause the loss to compensate a legitimate, fair, and transparent way to ensure for the loss. legitimacy, justice, and transparency. These Article 1366. 
commonalities highlight the significance of "Every person is responsible not only for adhering to ethical and legal norms while dealing losses caused by his actions, but also for with personal data. However, as stated explicitly losses caused by negligence or lack of care. in Federal Decree-Law No. 45 of 2021, the United Article 1367. Arab Emirates provides more detailed instructions "A person is not only responsible for losses on this concept. The Federal Decree-Law No. caused by his actions, but also for losses of 2021 highlights the significance of explicitly caused by the actions of people who are his defining permission as the foundation of dependents or caused by goods under his legitimate data processing procedures, along with the ideals of accountability and openness. In light of the above, it is easy to see how Particular to the United Arab Emirates is the fact Article 1365 of the Civil Code lays forth the that local law protects individuals' privacy by responsibilities that third parties have when they granting them certain rights, such as the ability to engage in illegal activities. Furthermore. Article see and amend their data. This improves patient 1366 of the Civil Code stipulates that an individual bears liability for any harm they inflict upon transparent handling of their data (Weber. Zhang, another, particularly in instances of carelessness & Wu, 2. Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro These two state statutes recognize the The United Arab Emirates has rules that importance of limiting data usage, ensuring the relevance of personal data, and providing users quantifiable penalties for managing medical with restricted access. This regulatory approach Patient Confidentiality. 
Authorities like the Data aligns with protecting individualsAo privacy and Protection Officer at the Dubai Health Authority To safeguard data against illegal or directly engage in effective legal enforcement against abuses of medical Patient Confidentiality. destruction, or damage, and to adopt suitable The UAE Data Office is an independent body with technological and organizational safeguards, the the power to investigate violations of data rule mandates their implementation. By Law no. 45 of 2021, those entrusted businesses, and enforce rules in order to with the care of patients' personal information guarantee the efficient implementation and must provide evidence of patients' permission enforcement of data protection legislation in the before dealing with such information. Data user UAE. Ensuring compliance with data protection officers must be able to provide evidence of the patient's permission, as stated in Article 6's first (Ghandour & Woodford, 2. This is by paragraph . of Article 10 of Minister Health Regulation In the meantime, there are regulations in Number place to safeguard medical data and ensure their 269/MENKES/PER/i/2008. This shows that they consistent enforcement in Indonesia, but these are serious about safeguarding people's data rules are not always easy to implement. rights and that they are committed to data Enforcement often encounters practical barriers, protection standards that are known across the such as limited public awareness, insufficient Both the UAE's and Indonesia's data institutional coordination, and a lack of trained privacy regulations have room for improvement, personnel within law enforcement and health however (Abouahmed. Kandeel, & Zakaria. Although there is less stringent law Clarifying the requirements and methods enforcement compared to the UAE. 
Indonesia for gaining and withdrawing permission clearly provides a variety of legal sanctions for breaches and precisely is necessary to further expand the of medical Patient Confidentiality. These penalties notion of patient consent for data users. Judicial are more diverse and may include both oversight is necessary to protect the patient's administrative and criminal fines, depending on . ata owner'. rights and interests, even when the severity and intent of the violation. data users have permission to access (ElGheriani & Hashish, 2. There is a better-organized system in place to handle medical Patient Confidentiality in the Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro UAE, with penalties for infractions that are both UAE and Indonesia. The UAE enforces a more obvious and difficult to ignore. Indonesia has systematic and enforceable framework with well established laws to address breaches of patients' delineated punishments, whereas Indonesia has personal health information, but consistent instituted pertinent legal requirements but need enforcement of these laws is crucial for effective persistent enforcement to guarantee the proper protection of patients' medical records. safeguarding of patients' medical information. The table below compares the statutory rules pertaining to health data protection in the Table 3. Comparison Between Health Data Protection in the UAE and Indonesia Aspect Patient Consent Rights of access and correction of data by patients Oversight and enforcement Penalty UAE Indonesia By law, patients' permission for Patient agreement is required data handling is required (Article for access to health records, 6 of Law No. 45 of 2. to Article 10 paragraph . of Ministerial Regulation No. 269/MENKES/PER/i/2008. Patients have the right to view Patients have the right to access and rectify their personal and request correction or deletion of their data under Article 16 of Law No. 
27 of 2022 on Personal Data Protection. The Data Office. Dubai Health There is no established, distinct Authority. United Arab Emirates. autonomous body. Federal Law No. 2 of 2019 The maximum penalties are a contains Title 25. Article 26, fine of IDR 50,000,000 or a jail Article 27, and Article 28. The term of 1 year, as stated in penalties outlined in Federal Article 79. Letter C, of Law Decree-Law 45 of 2021 also Number 29 of 2004 governing include: Administrative sanctions medical practice. may reach up to fifty million United Emirates Dirhams . ,600,000 USD), 220,861,487,398. 4 IDR, or five percent of the offending agency's total revenue. Source: (United Arab Emirates, 2. (United Arab Emirates, 2. (DPD PORMIKI DKI Jakarta, (Database Peraturan JDIH BPK, 2025. (Database Peraturan JDIH BPK, 2025. While both the UAE and Indonesia take United Arab Emirates has issued more specific precautions to secure citizens' personal health instructions in Federal Decree-Law No. 45 of information, there are also key distinctions. The 2021, although both nations stress the need to Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro follow ethical and legal norms while dealing with enforcement overseen by an autonomous body, personal data. The UAE enforces its rules more the Dubai Health Authority. These statutes stringently and places a greater emphasis on the provide clear sanctions, including substantial protection of medical data by the proper administrative fines and criminal liability against One of the UAE's autonomous violations, reflecting the stateAos firm commitment regulatory bodies is the UAE Data Office, which to data protection. punishes those who violate patients' right to Conversely, while Indonesia has enacted privacy when it comes to their medical records. multiple legal instruments, including Law No. However, additional efforts are necessary to of 2004 on Medical Practice. 
Minister of Health guarantee the consistent enforcement of the Regulation No. 269/MENKES/PER/i/2008, and legislation and the adequate legal framework in Law No. 27 of 2022 on Personal Data Protection. Indonesia to address breaches of medical data enforcement remains fragmented. There is no privacy (Adonara. Ohoiwutun, & Taniady, 2. dedicated autonomous oversight institution, and However, legal provisions such as Law No. 27 of regional disparities persist due to inconsistent 2022 on Personal Data Protection and Law No. 29 of 2004 on Medical Practice not only regulate Moreover, the normative gap penalties for violations but also provide the surrounding patientsAo right to access and rectify foundational legal framework for safeguarding their medical data poses a challenge, even patient data autonomy and privacy. Despite their though Article 16 of Law No. 27 of 2022 existence, consistent enforcement and the technically recognizes such rights. security of medical data remain areas where These findings suggest that Indonesia must practical implementation continues to face significant challenges. independent oversight body, and harmonize overlapping laws to ensure effective and CONCLUSION consistent enforcement. Strengthening legal The comparative study of medical data certainty and institutional capacity is crucial to protection laws in the United Arab Emirates (UAE) and Indonesia reveals significant disparities in especially in an era of increasing digitalization of legal enforcement, institutional frameworks, and health services. Future research could focus on normative clarity. In the UAE, the legal foundation evaluating how these frameworks operate in for health Patient Confidentiality is robust, practice, particularly in regions with limited grounded in Federal Law No. 2 of 2019 and infrastructure and administrative resources. Federal Decree-Law No. 45 of 2021, with Law Reform, 22. , 2026, 82-112 Master of Law. Faculty of Law. Universitas Diponegoro REFERENCES